Home > IT Blogs > TotalCIO > Add virtualization licensing to list of cloud security risks
>>VIEW ALL POSTS  

TotalCIO

«
»
May 25 2011   6:41PM GMT

Add virtualization licensing to list of cloud security risks



Posted by: Christina Torode
CIO, Cloud computing

We’ve written quite a bit about the need for changes to software virtualization licensing terms to uncouple them from the physical hardware and accommodate the dynamic, shared computing environments that virtualization has made possible. Many vendors’ licensing terms remain outdated because they prohibit the movement of workloads or the divvying up of resources.

This counters some of the benefits of moving to a cloud model and adds another snag to a long list of cloud security risks on the minds of CIOs and CISOs.

Michael Daly, deputy CISO and director of IT security services for Raytheon, said that it’s a two-sided security coin: Vendors and SaaS providers want to make sure that you are truly using only the licenses allowed to you by contract, but how do you prove usage in an environment in which usage is fluid?

What it comes down to is validation, said Daly. The vendors want to know that you are not “fibbing” about usage, “but the alternative is that you [give] all these vendors — and you might have hundreds of products in this [virtual/cloud computing environment] — oodles of usage data about every movement your business makes.”

That’s too much information to be giving away, and then some. “It might even not be legitimate for you to be giving it away under some SEC rule, because you might be giving away stock-affecting information about how many customers you have at any given time,” he said.

Daly’s advice to other CISOs and CIOs is to minimize cloud security risk by negotiating a contract that lets you test your hosted environment for vulnerabilities and change simple things such as passwords.

“Get friendly with a lawyer,” he said. “Walk through the contract language to make sure there is flexibility in there, and that you understand what happens financially when you do want to make a change to that environment.”

In our coverage next week, SearchCIO.com will explore how corporate information security practices change when a virtual cloud environment is added to the mix.

In the meantime, here’s more food for thought from experts and CIOs grappling with cloud security risks:

  • Are you beholden to the security practices of the cloud provider, or is there room to change the rules to suit your needs?

  • If your data is housed on a shared cloud, does it still meet the mandates of certain regulations?

  • Do cloud providers need to create more modular environments for their customers to prevent potential data sharing mix ups between customers?

Let us know what you think about the blog post; email Christina Torode, News Director.

  Bookmark and Share     Comment     RSS Feed     Email a friend

Comment on this Post

Leave a comment:

JeanneMorain  |   Jun 4, 2011  1:03 AM (GMT)

During my research for my book – Visible Ops Private Cloud – http://tinyurl.com/3q8mfzz – we quickly discovered that there were many gaps preventing Enterprise IT from leveraging Public Clouds. Of those the license implications of Cloud Bursting (sending workloads from an on premise to an off premise cloud) are one of the biggest hurdles cited by the 30+ companies interviewed.

Flexera has been posting a series of articles on the topic and working closely with industry leaders to expand capabilities in this area. There have been recent changes by some industry leaders such as Microsoft to add more mobility capabilities for a limited number of their products. There is still quite a bit more that is needed for a standardized approach. The Distributed Management Task Force – http://www.dmtf.org has an initiative to address standards in this area currently underway. If you are interested in learning more about implications read our blog – http://tinyurl.com/42almzy